WannaCrypt – My Understanding Of It So Far

I’ve been intending to write about this since the day it hit, but as with most new malware, the scene surrounding it changed almost minute by minute. Anything I tried to write would have been obsolete by the time I published, so I sat back over the weekend and watched the information update.

Now, what I say here is my story of learning about this outbreak, in conjunction with what I’ve grown to understand about the malware itself, its behaviour, and my understanding of how Windows works in general. This is a very complex, ever-changing issue, so I could be mistaken on some things. Take the information for what you will, and do your own research as well.

Now to the story proper.

The night of Friday, May 12th I saw a video from YouTuber Barnacules Nerdgasm, a former Microsoft employee and all-around computer guru, stressing the importance of installing the most recent Windows updates on your machine to protect it against infection from a piece of malware known as “WannaCry” or “WannaCrypt.”

WannaCrypt is a two-part beast: at its core, it’s ransomware; it encrypts your files and demands a payment of at minimum $300 in Bitcoin for them to (supposedly) provide the decryption key. From there, an infected system will also scan the network for other systems that it can attack, and send the virus to those systems as well – once there, thanks to the way it was designed, it executes itself, encrypting that machine and starting the process all over again. An absolute hell of a situation to be in.

The horrific thing is that this virus seems to be based on code released from tools the NSA used to develop surveillance software to monitor people’s computer usage – an already horrific thought – and this code has now been turned into an active attack against us. It’s insane, to say the least, to think that this is the situation we are in.

In a panic I went through and indeed made sure every machine I had was updated – the way the video made it sound, and indeed the way things seemed to be at that time, WannaCry felt like the most dangerous virus ever, both encrypting your hard disk (the ransomware component) and carrying a worm component, which made use of an exploit in the Windows “Server Message Block” service to attack everything on the local network.

At this early stage it seemed that the virus could attack any computer, and was actively probing the entire internet for more systems to infect, but this doesn’t entirely seem to be the case now, as all evidence of attacks seems to stay contained to local networks – businesses, basically, are getting hit, and not so much the average user, for whatever reason. In fact, I’m just not finding cases of individuals getting hit hard.

The virus seems to originate from your typical malware-infested email, or so the best information I can gather states – once active, it exploits the aforementioned SMB flaw to attack systems. Here’s the thing about the SMB attack though – it targets an element of Windows that was patched back in March, so the worm element is only really able to spread, or so my understanding is, via systems that are running unpatched: older systems like Vista and XP, or Windows 7 and 8 systems that aren’t up to date.

In an odd move, Microsoft has actually released patches for Windows 8.0, Vista, and XP to help combat this, as well as of course Windows 7 and Windows 8.1, which, unlike the former operating systems, are still officially supported. This at least stops the spread once a system is infected, but it does not stop a system from becoming infected – that’s for antivirus to do.
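Because the worm component spreads by probing every neighbour on the local network over SMB, the fan-out itself is something a defender can look for. The following is an added example, not code from the original post: it scans constructed firewall log lines (the log format is an assumption) and flags any internal host that contacts many distinct hosts on TCP/445 inside a short window.

```python
"""Flag hosts that fan out to port 445 on many neighbours, the pattern a worm
like WannaCrypt produces when it scans the local network for SMB targets.
Log lines and their format are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2017-05-12T09:00:01 10.0.0.15 -> 10.0.0.20:445 ALLOW
2017-05-12T09:00:02 10.0.0.15 -> 10.0.0.21:445 ALLOW
2017-05-12T09:00:02 10.0.0.15 -> 10.0.0.22:445 DENY
2017-05-12T09:00:03 10.0.0.15 -> 10.0.0.23:445 ALLOW
2017-05-12T09:00:03 10.0.0.15 -> 10.0.0.24:445 ALLOW
2017-05-12T09:00:04 10.0.0.15 -> 10.0.0.25:445 DENY
2017-05-12T09:00:10 10.0.0.40 -> 10.0.0.5:445 ALLOW
2017-05-12T09:00:11 10.0.0.40 -> 10.0.0.5:445 ALLOW
2017-05-12T09:05:00 10.0.0.40 -> 10.0.0.6:445 ALLOW
2017-05-12T09:00:12 10.0.0.50 -> 10.0.0.7:80 ALLOW
"""

def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action

def find_smb_scanners(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src_ip: distinct_targets} for every source that contacted at
    least `threshold` distinct hosts on TCP/445 within any `window`-long period.
    Denied connections count too: a scanner probes regardless of the answer,
    and a normal file-server client talks to one or two hosts, not dozens."""
    events = defaultdict(list)  # src -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, port, _action = parse_line(line)
        if port == 445:
            events[src].append((ts, dst_ip))
    scanners = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners

if __name__ == "__main__":
    print(find_smb_scanners(SAMPLE_LOG))  # {'10.0.0.15': 6}
```

Tune `window` and `threshold` to the network: a backup server that legitimately talks SMB to every workstation will need an allow-list rather than a lower threshold.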

Getting back to WannaCry itself, the first version was actually stopped dead because, for whatever reason, the software checks a rather random URL to see if it is registered – if it is, the virus does nothing. If it isn’t, it does what it’s supposed to do. Unaware at the time that it was actually a kill switch, Twitter user MalwareTech registered the URL, and that was that – the first outbreak was stopped in its tracks, at least so long as a system that does get infected can “access” the registered domain – if it can’t, due to network restrictions or some other reason like going offline, the malware still behaves as normal.
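That last caveat is the useful part for anyone running a network: a host that looks the domain up at all has run the malware, and whether the lookup succeeded tells you whether the kill switch actually fired there. The following is an added example, not code from the original post; the domain name is a placeholder (the real kill-switch domain is not reproduced here) and the resolver log format is an assumption.

```python
"""Triage DNS resolver log lines for lookups of the WannaCrypt kill-switch domain.
The domain name and the log format are placeholders constructed for this example."""
from collections import defaultdict

KILL_SWITCH_DOMAIN = "killswitch-domain-placeholder.example"  # stand-in, not the real domain

# Constructed resolver log lines: "<timestamp> <client_ip> <query_name> <rcode>"
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:05 10.0.0.15 killswitch-domain-placeholder.example NOERROR
2017-05-12T10:01:06 10.0.0.16 killswitch-domain-placeholder.example NXDOMAIN
2017-05-12T10:01:07 10.0.0.17 killswitch-domain-placeholder.example REFUSED
2017-05-12T10:01:08 10.0.0.18 www.example.com NOERROR
2017-05-12T10:01:09 10.0.0.16 killswitch-domain-placeholder.example NOERROR
"""

FIRED = "kill switch fired: malware ran but stood down"
MISSED = "kill switch did not fire: treat as infected"

def triage_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: verdict}. Any host that queried the domain ran the
    first-version malware. If every lookup succeeded (NOERROR) the check passed
    and the malware stood down; any failed or blocked lookup (NXDOMAIN, REFUSED,
    SERVFAIL) means at least one run never saw the kill switch and proceeded,
    which is exactly what happens on a network that blocks the domain.
    This is DNS-level only: an outbound proxy can still block the HTTP request
    after a successful lookup, so proxy logs deserve the same triage."""
    successes = defaultdict(int)
    failures = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        if qname.lower().rstrip(".") != domain:
            continue
        (successes if rcode == "NOERROR" else failures)[client] += 1
    verdicts = {}
    for client in set(successes) | set(failures):
        verdicts[client] = MISSED if failures[client] else FIRED
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(triage_kill_switch_lookups(SAMPLE_DNS_LOG).items()):
        print(host, verdict)
```

Hosts in the MISSED bucket need isolating and restoring from backup regardless of how the domain looks from the rest of the network; hosts in the FIRED bucket still received the malware and need the same patching and mail hygiene as everything else.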

I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.

It wasn’t long though before a second version, without this kill switch, was released, and continued its havoc.

Coming to today, so far I’ve found no additional information as to how many people came to work this Monday morning to discover their systems compromised – I’m certainly going to pay attention to this as it unfolds, and try my best to gather what information I can.

That all being said, what do I actually think of this?

Needless to say, this is one of the largest attacks ever. That goes hand in hand with scale, as there are more computers out there than ever before, but that doesn’t change the damage it can cause, or certainly has already caused.

This reminds me of my teen years and hearing about the Code Red and Nimda worms, which back in the early 2000s caused absolute chaos among businesses of all types – those worms however didn’t have the ransomware element attached (as such a thing really didn’t exist back then), and so while disruptive, they could be removed without too much issue down the line. WannaCrypt leaves no safe option – if you don’t have off-system backups, you are, for lack of a better phrase, fucked.

Now, interestingly, famed virus-demonstration YouTuber Danooct1 has tested a sample of the original WannaCrypt malware on a non-networked virtual machine setup and honestly? It looks rather typical.

That’s really the crazy thing: WannaCrypt is a pretty normal ransomware with the incredibly dangerous worm element thrown in – it’s not a matter of it doing anything new, but of blending two elements and using higher-end hacking tools that are now out in the open to do what it has done. It’s truly the sheer capability it had to spread, and the damage it does, that made it so terrifying.

Now, I’m not going to say there is nothing to worry about for the average user – far from it, but I will say you are probably safe so long as you don’t open any stupid emails and maintain normal, safe browsing habits.

Please, keep your systems updated, don’t open email attachments unless you know for sure you are supposed to be receiving that exact file (if you can find an alternate transfer method, like FTP on a server you have access to, it’s better to use that than email), and make sure your firewall is set up correctly, JUST in case.

I personally use the old, but still decent, Shields Up as a general test of my port accessibility from outside my local network, and so far it’s done fine by me in assuring me my systems are safe enough from random port probing.

Just please, take this seriously, but don’t let it interfere with your computer usage.